CNAME Records with DNS caching and Umbrella

This KBA is intended for users of DNS caching servers who see DNS resolution that does not match the expected policy and reporting for CNAME-record domains. Examples of such DNS caching servers include BIND with caching enabled and Infoblox.

Impact

The observed impact is DNS resolution that does not match policy: a request for a whitelisted domain's A-record is answered with a CNAME that refers to an A-record on a different, blocked domain.

For example, domain.com is whitelisted, blocked.com is blocked, and domain.com is a CNAME record pointing to blocked.com, which has an A-record. The issue presents itself as an allowed domain being blocked, with no corresponding event logged on the Dashboard.

Cause

The root cause of this issue is DNS caching of CNAME records that point to a different domain whose target is blocked. Because the queried domain is whitelisted, the Umbrella resolvers flag the entire query as whitelisted, and that decision carries down the CNAME chain. The result is an allowed query.

Because the domains involved have different TTLs, and Umbrella block records for malicious categories have a TTL of zero, the caching server retains some records in the chain longer than others, and its cached answers interfere with the policy decision made by the Umbrella resolvers.
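To make this interaction concrete, here is an added Python model (not Umbrella, BIND or Infoblox code) of the domain.com / blocked.com scenario: an upstream policy resolver that allows the whole chain for a whitelisted name and answers a blocked name with a TTL-0 block record, and a downstream cache that stitches a CNAME chain together from cached records whenever it can. The model assumes the cache can be given a minimum TTL floor (`min_ttl`), which is not something the KBA states; the names, addresses and TTLs are constructed.

```python
# Added illustrative model (not Umbrella, BIND or Infoblox code) of a downstream DNS
# cache answering a CNAME chain from cache; all names, addresses and TTLs constructed.
BLOCK_IP = "192.0.2.1"                               # constructed block-page address
ZONE = {                                             # constructed authoritative data
    "domain.com.": ("CNAME", "blocked.com.", 300),   # whitelisted alias, long TTL
    "blocked.com.": ("A", "198.51.100.7", 60),       # blocked target, short TTL
}
WHITELISTED, BLOCKED = {"domain.com."}, {"blocked.com."}
class PolicyResolver:
    """Upstream policy resolver; a whitelisted qname allows the whole CNAME chain."""
    def __init__(self):
        self.log = []                  # every query that reaches upstream (the Dashboard)
    def query(self, qname):
        self.log.append(qname)
        allowed, answer, name = qname in WHITELISTED, [], qname
        while True:
            rtype, rdata, ttl = ZONE[name]
            if name in BLOCKED and not allowed:
                return answer + [(name, "A", BLOCK_IP, 0)]   # block record, TTL 0
            answer.append((name, rtype, rdata, ttl))
            if rtype != "CNAME":
                return answer
            name = rdata
class CachingResolver:
    """Downstream cache; min_ttl is an assumed configurable TTL floor (0 = none)."""
    def __init__(self, upstream, min_ttl=0):
        self.upstream, self.min_ttl, self.cache = upstream, min_ttl, {}
    def query(self, qname, now):
        answer, name = [], qname
        while (rr := self.cache.get(name)) and rr[3] > now:   # walk the cached chain
            answer.append(rr[:3])
            if rr[1] != "CNAME":
                return answer          # served wholly from cache: upstream never sees it
            name = rr[2]
        answer = []                    # a miss somewhere in the chain: forward qname
        for name, rtype, rdata, ttl in self.upstream.query(qname):
            if (ttl := max(ttl, self.min_ttl)) > 0:
                self.cache[name] = (name, rtype, rdata, now + ttl)
            answer.append((name, rtype, rdata))
        return answer

def run_scenario(min_ttl):
    """Alias at t=0 (allowed), target directly at t=100 (blocked, its A expired),
    alias again at t=110. Returns (alias answer, upstream queries for the alias)."""
    upstream = PolicyResolver()
    cache = CachingResolver(upstream, min_ttl)
    cache.query("domain.com.", now=0)
    cache.query("blocked.com.", now=100)
    final = cache.query("domain.com.", now=110)[-1]
    return final[2], upstream.log.count("domain.com.")
```

With no TTL floor the second lookup of the alias reaches the upstream resolver and is allowed; with a 60-second floor it is answered from cache with the block-page address and never reaches upstream, which is why nothing appears on the Dashboard.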

Here we use the scenario where domain.com is whitelisted, blocked.com is blocked, and domain.com is a CNAME record pointing to blocked.com, which has an A-record.